Holiday 
e-mails 




can 
a danger 

Experts are warning i 
about viruses in ; 
infected attachments : 

By David l. Wilson : 

Mercury News Washington Bureau 

WASHINGTON — The holiday season is often a 
time when computer users pass around amusing 
electronic animations via e-maiL Although most of 
these attachments are harmless, some may hide 
destructive computer virus- 
es. 

Indeed, anti-virus watch- IW^^^j^F 
dogs identified a new virus m wBmWFQk 
this week that masquerades 00001 CM 
as an innocuous bunch of in|JjJLLifi 
digital photos but actually jg^jgi 
plants a time bomb that will vK^!g$ 
erase the computer's hard 
drive on Jan. 1,2000. 

Because that's the same 
date that the Y2K bug is ex- 
pected to cause many comput- Virus fighters 

er systems to crash, the virus ; 

might fool users into believing expect more] 
they have a Y2K problem. ** 

Virus fighters expect more viruses 

viruses linked to Y2K to - * 

emerge as Jan. 1 approaches, linked to Y2K 

and they are once again beg- « 

ging computer users to avoid to emerge as 

opening e-mailed attach- * 

ments. Jan, 1 

"We're telling people to be 

very wary of electronic Christ- approaches, 
mas cards/' said Sal Viveros, a 
virus expert with Network As- 
sociates Inc., based in Santa Clara 

The Mypics worm, as this latest threat is called, 
arrives attached to what appears to be e-mail from 
a friend or associate that says, "Here's some pic- 
tures for you!" 

Opening the attached file, Pics4You.exe, will in- 
fect your computer with the virus, which will at- 
See VIRUSES, Page 3C 
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Many computer viruses travel as innocent-looking files attached 
electronic mail. With the holiday season upon us, people often e-mafl;^ 
electronic greetings and photographs to friends and family members, S| 
but not every file that comes with an e-mail is saf&This year poses^f 
special hazards, according to anti-virus experts,; because many virus 
writers may use theY2K bug to hide their TnischietThis week^anti- ^l 
viruis companies detected & newr virus, nam^d Mypips/that cpujdf ^ 
erase a computer's Hard drive on ^^^^^M^^i^&f^ 

v, attachment^ 



2 WORM REPRODUCES - ( 
If you open the attachment, the wormf 
? willsend itself to 50 people in your y| 
^rMicrosoftOutlook address boo%te^ 
also changes the home page HyouS 
Microsoft internet Explorer browsers! 





toa pornographic site^- 



WQRMWAITS 

On Jan. 1, 20Q0, the worm wilt overwrite > 
key system data; The user will see an < 
apparent Y2K~related error when . - 
starting up the computer. The worm will 
then destroy all data on the hard drive; 



HOW TO PROTECT YOURSELF 

Avoid opening attachments to e-mail if possible. If you want the attachment 
call the sender and verify its contents before opening it Update virus 
protection software weekly and use it to scan attachments. Back up critical 
data regularly. 



Source: Symantec Corp. 
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tempt to mail itself to 50 people it 
finds in your Microsoft Outlook e- 
mail address book. It will also 
change the home page of your Mi- 
crosoft Internet Explorer Web 
browser to a pornographic site. 

The real damage occurs Jan. 1, 
when the virus will change the com- 
puter's most basic software and at- 
tempt to erase the hard drive. 

The increasing frequency of alerts 
relating to tilings like electronic vi- 
ruses is prompting renewed calls for 
safe computing, but few experts ex- 
pect users to change their habits. 

"It would be great if everybody 
followed the rule: Never open e-mail 
attachments if you can help it," said 
Carey Nachenberg, chief researcher 
at Symantec's anti-viral research 
center. "But I don't think they will." 

In general, just looking at an infec- 
ted e-mail can't hurt; users have to 
do something else to activate the vi- 
rus and infect their system. Typical- 
ly, a virus comes as an attachment to 
e-mail, such .as a document that can 
be read only with a word processor 
like Microsoft Word. 

Clicking on the attachment to 
read the document can infect the us- 
er's machine with any virus that was 
lurking on the sender's machine. A 
virus is dangerous because it can al- 
ter or destroy data. 

Until recently, experts advised us- 
ers to simply avoid opening attach- 
ments sent by people they' didn't 
know. Unfortunately, the most trou- 
blesome viruses today spread by 
fooling people into believing the 
document was sent by a Mend 

For instance, Mypics attempts to 
mail copies of itself to anyone in the 
user's e-mail address book. Anyone 
receiving such a missive from, say, 
their brother, might open that at- 
tachment without thinking about it. 

Most software vendors are aware 
of the problem and take steps to get 
around it For instance, Blue Moun- 
tain Arts, a purveyor of electronic 
greeting cards, doesn't send the card 
via e-mail, just a Web address, which 
can be accessed though any brows- 
er. 

Jared P. Schutz, the company's ex- 
ecutive director, said that's the only 
way to be safe. "I would highly rec- 
ommend that people avoid opening 
attached files, even from people that 
they know," he said. 



That's the standard advice, but no- 
body expects attachments to disap- 
pear tomorrow, despite the warn- 
ings. 

"I can't tell you whether we've still 
got a lot of people who just haven't 
gotten the message — newbies — or 
whether it's people who should 
know better but do it anyway," said 
Sandra Sparks, director of the Ener- 
gy Department's Computer Incident 
Advisory Capability, which works to 
ensure the security of government 
computer systems. "Maybe it's the 
same kind of thing that happens with 
people who don't wear a seat belt" 

Although many corporations scan 
all incoming e-mail and destroy any 
known virus before it's delivered in- 
to an employee's mailbox, very few 
Internet service providers offer such 
a feature, largely because examining 
every single data packet that flows 
into the pipes can slow service. 

So for now, anti-virus protection 
is largely the responsibility of indi- 
viduals. 

To protect against all viruses, ex- 
perts say virus protection software 
should be updated weekly. 



Attachments generally should be 
avoided. If you receive an attach- 
ment that you want, contact the 
sender and ask if it was deliberately 
sent If possible, ask that the infor- 
mation in the attachment be copied t 
and pasted into a plain e-mail file 
and resent, orpostedona Web page. 
, If that's not possible and you must 
open the attachment, make sure ifs 
scanned first with an updated anti-vi- 
ral program. 

Even with such precautions, it's 
still possible for a new, fast-moving 
virus to get through your defences. 
The only real protection users have 
is to regularly make copies of the da- 
ta on their hard drive. 

"Back up your critical stuff at 
least once a week," said Sparks. M I 
know that's annoying, and I know it 
takes time. But compare that ' 
amount of time vs. the amount of 
time you'd spend trying to rebuild 
your system, or your company, and 
that's a very small investment" 



Contact David Wilson at (202) 
383-6020 or at 
dj^m@sj7nercury. com 
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Step 1: 

A first computer 203 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 205 thereby creating 
a list of e-mail users 206. 
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Step 2: 

The first computer 203 loads and 
executes the second program that 
sends the list of e-mail users 206 
to a second computer 208. 
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Step 3: 

The second computer 208 loads and 
executes the third program that: 

specifies within the mock computer virus 

attachment 202 the e-mail 

address of the third computer 210 

as the recipient of the e-mail that is sent 

if the mock computer virus attachment 202 

is opened. 

sends the list of e-mail users 206 to 
the third computer 21 0. 

and sends an e-mail with the mock 
computer virus attachment 202 
to each e-mail address on the list i.e. 
each user 211. 
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Step 4: 

The third computer 210 loads and 
executes the fourth program which 
receives the e-mails from the users 
21 1 that open the mock computer 
virus attachment 202 and creates a 
new list of e-mail users with their 
respective e-mail addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 202 and those that did 
not open it, may be displayed as 
results 212 on a web page 214 or 
other report on the network. 
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Step 1: 

An e-mail user behavior 
modification server 301 
provides a program 302 
that can be downloaded to 
a computer 303. 




E-mail System 305 





E-mail User Behavior 
Modification Server 301 



Administrator/ 
Management 310 
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Step 2: 



The program 302 extracts a 
list of e-mail addresses 304 
from the e-mail system 305. 




List of E-mail 
Addresses 304 



Computer 303 



E-mail System 305 
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Step 3: 

The program 302 sends the 
list of e-mail addresses 304 
from the computer 303 
to the e-mail user behavior 
modification server 301 . 
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Step 4: 

The e-mail user behavior 
modification server 301 sends an 
e-mail with the mock computer virus 
attachment 306 to each e-mail 
address on the list i.e. each user 307. 
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Administrator/ 
Management 310 




Web Page 309 
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Step 5: 

The mock computer virus attachment 306 

will send an e-mail to the e-mail 

address of the e-mail user 

behavior modification server 301 

if the mock computer virus attachment 306 

is opened. 

The e-mail user behavior modification 
server 301 receives the e-mails from 
users 307 that open the mock computer 
virus attachment 306 and compiles a list 
of users 308 that opened the mock 
computer virus attachment 306. 




Computer 303 



E-mail System 305 




E-mail User Behavior 
Modification Server 301 



Opened mock col 
ilrus attachment 




User 307 User 307 




Administrator/ 
Management 310 



User 307 




Web Page 309 



Step 6: 

The list of users that opened 
the mock computer virus attachment 306 
and the users that were sent the e-mail 
with the mock computer virus attachment 306 
but did not open it are displayed as 
results 308 on a web page 309 or 
sent as an e-mail to the administrator / 
management 310. 
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Step 1: 

An e-mail user behavior 
modification server 401 
provides a program 402 
that can be downloaded to 
a computer 403. 



E-mail User Behavior 
Modification Server 401 
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Step 2: 



The program 402 extracts a 
list of e-mail addresses 404 
from the e-mail system 405. 
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Web Page 409 
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Step 3: 

The computer 403 sends an 
e-mail with the mock computer virus 
attachment 406 to each e-mail 
address on the list i.e. each user 407. 
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Modification Server 401 
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Step 4: 

The mock computer virus attachment 406 
will send an e-mail to the e-mail 
address of the e-mail user 
behavior modification server 401 
if the mock computer virus attachment 406 
is opened. 

The e-mail user behavior modification 
server 401 receives the e-mails from 
users 407 that open the mock computer 
virus attachment 406 and compiles a list 
of users that opened the mock 
computer virus attachment 406. 
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Step 5: 

The list of users that opened E-mail User Behavior 

the mock computer virus attachment 406 Modification Server 401 
and the users 407 that were sent the e-mail 

with the mock computer virus List \f UseT 

attachment 406 but did not open it 
are displayed as results 408 on a 
web page 409 or sent as an e-mail to 
the administrator / management 41 0. 
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Step 1: 

A first computer 503 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 505 thereby creating 
a list of e-mail users 506. 

The first computer 503 informs 
the fourth computer 515 
of the number or type of 
e-mail addresses 516 it 
extracted. Nq/fiberor 

of E-mail 
ddresses 516 




List of E-mail Users 506 
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Step 2: 

The first computer 503 loads and 
executes the second program that 
sends the list of e-mail users 506 
to a second computer 508. 



The fourth computer 515 
gives authorization 517 to the 
first computer 503 to send 
the list of e-mail users 506 
to the second computer 508. 



Third Computer 510 



Fourth Computer 515 



User 511 User 511 User 511 
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Step 3: 

The second computer 508 loads and 
executes the third program that: 

specifies within the mock computer virus 
attachment 502 the e-mail address of the 
third computer 51 0 as the recipient of the 
e-mail that is sent if the mock computer 
virus attachment 502 is opened; 
upon receipt of authorization 51 7 
sends the list of e-mail users 506 to 
the third computer 510; 
and upon receipt of authorization 517 
sends an e-mail with the mock 
computer virus attachment 502 
to each e-mail address on the list 
i.e. each user 511. 

Authorization 517 
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Step 4: 

The third computer 510 loads and 
executes the fourth program which 
receives the e-mails from the users 
511 that open the mock computer 
virus attachment 502 and creates a 
new list of e-mail users with their 
respective e-mail addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 502 and those that did 
not open it, is sent as results 512 
to the fourth computer 515. 
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Step 5: 

The fourth computer 515 gives 
authorization 517 to the third 
computer 51 0 to post the 
results 512 to the web page 514 




First Computer 503 
A 



EM EH [H 

User 511 User 511 User 511 



E-mail System 505 




Third Computer 510 
Results 512 




Fourth Computer 515 



Web Page 514 



Drawing 5, page 3 of 3 



